Add more CORS regex tests and fix the CORS regex example
sberyozkin committed Jul 18, 2023
1 parent b29c43f commit ec048fb
Showing 5 changed files with 27 additions and 4 deletions.
9 changes: 7 additions & 2 deletions docs/src/main/asciidoc/http-reference.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -363,15 +363,20 @@ Here's what a full CORS filter configuration could look like, including a regula
[source, properties]
----
quarkus.http.cors=true
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\.app\\.mydomain\\.com/
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
quarkus.http.cors.methods=GET,PUT,POST
quarkus.http.cors.headers=X-Custom
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
----

`/https://([a-z0-9\\-_]+)\\.app\\.mydomain\\.com/` is treated as a regular expression because it is surrounded by forward slash characters.
`/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/` is treated as a regular expression because it is surrounded by forward slash characters.

[NOTE]
====
If you use regular expressions, make sure 4 backward slashes are used to represent `.` and other metadata regular expression characters as normal characters, for example, `\\\\.` represents a `.` character while `\\.` represents a metadata regex character allowing for any character.

====

=== Support all origins in devmode
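Review bot: The NOTE added at the end of this hunk tells readers to use four backslashes for `.` "and other" metacharacters, but the example it accompanies still writes `\\-` with two inside `[a-z0-9\\-_]`, and the note never says why the doubling is needed. State the reason in one sentence, say whether the rule also applies inside a character class, and use "metacharacter" instead of "metadata regular expression character". Since the example also sets `quarkus.http.cors.access-control-allow-credentials=true`, it is worth spelling out that with `\\.` the dot matches any character, so the pattern admits origins the author did not intend.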

Expand Up @@ -25,6 +25,15 @@ public void corsRegexValidOriginTest() {
.header("Access-Control-Allow-Origin", "https://asdf.domain.com");
}

@Test
public void corsRegexValidOrigin2Test() {
given().header("Origin", "https://abc-123.app.mydomain.com")
.when()
.get("/test").then()
.statusCode(200)
.header("Access-Control-Allow-Origin", "https://abc-123.app.mydomain.com");
}

@Test
public void corsRegexInvalidOriginTest() {
given().header("Origin", "https://asdfdomain.com")
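Review bot: `corsRegexValidOrigin2Test` exercises only digits and `-` from the class `[a-z0-9\\-_]` in the second configured pattern, so the `_` branch is never hit; either add an origin containing `_` or drop `_` from the class if it is not meant to be accepted. A name that says which pattern is under test (for example `corsRegexValidAppSubdomainTest`) would read better than the numeric suffix.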
Expand All @@ -33,4 +42,13 @@ public void corsRegexInvalidOriginTest() {
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}

@Test
public void corsRegexInvalidOrigin2Test() {
given().header("Origin", "https://abc-123app.mydomain.com")
.when()
.get("/test").then()
.statusCode(403)
.header("Access-Control-Allow-Origin", nullValue());
}
}
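Review bot: `corsRegexInvalidOrigin2Test` only pins the missing-dot case (`abc-123app.mydomain.com`). Nothing in these tests shows that the pattern has to match the whole origin, so add negative cases where the allowed host is followed by a further suffix or the origin uses `http://`, each expecting 403 and no `Access-Control-Allow-Origin` header.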
@@ -1,2 +1,2 @@
quarkus.http.cors=true
quarkus.http.cors.origins=/https:\\/\\/(?:[a-z0-9\\-]+\\\\.)*domain\\\\.com/
quarkus.http.cors.origins=/https:\\/\\/(?:[a-z0-9\\-]+\\\\.)*domain\\\\.com/,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
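Review bot: The two patterns on the new `quarkus.http.cors.origins` line escape differently: the first writes the scheme as `https:\\/\\/` and uses a non-capturing group, the second writes `https://` with a capturing group `([a-z0-9\\-_]+)` whose capture nothing visible in this commit uses. Pick one style for both, so the test resource does not suggest that escaping `/` is required when the second pattern shows it is not.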
Expand Up @@ -21,7 +21,6 @@
public class CORSFilter implements Handler<RoutingContext> {

private static final Logger LOG = Logger.getLogger(CORSFilter.class);
private static final Pattern COMMA_SEPARATED_SPLIT_REGEX = Pattern.compile("\\s*,\\s*");

// This is set in the recorder at runtime.
// Must be static because the filter is created(deployed) at build time and runtime config is still not available
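Review bot: Removing `COMMA_SEPARATED_SPLIT_REGEX` is not covered by the commit title, which mentions only tests and the docs example; mention the cleanup in the message or move it to its own commit. If this was the last use of `Pattern` in `CORSFilter`, the import should go as well; the hunk does not show it.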
Expand Up @@ -41,6 +41,7 @@ public void isOriginAllowedByRegexTest() {
Optional.of(Collections.singletonList("/https://([a-z0-9\\-_]+)\\.app\\.mydomain\\.com/")));
Assertions.assertEquals(regexList.size(), 1);
Assertions.assertTrue(isOriginAllowedByRegex(regexList, "https://abc-123.app.mydomain.com"));
Assertions.assertFalse(isOriginAllowedByRegex(regexList, "https://abc-123app.mydomain.com"));
}

@Test
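Review bot: The pattern literal on the `singletonList` line is written with `\\.`, while the properties values changed in this commit use `\\\\.`; add a one-line comment that this is a Java string literal rather than a properties value, so the two forms are not copied across. The unchanged `Assertions.assertEquals(regexList.size(), 1)` next to the new assertion also passes the actual value first and the expected value second.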

0 comments on commit ec048fb
